Malicious Behavior Defense identifies, blocks, and responds to malicious activities on your servers. Learn how to configure system and custom defense rules to protect your assets.
Scenarios
Malicious Behavior Defense supports system defense rules and custom defense rules.
Custom defense rules take precedence over system defense rules.
| Rule type | Description |
| --- | --- |
| System defense rule | System defense rules include two types: Network Threat Prevention and Process Protection. |
| Custom defense rule | Create a custom defense rule to allow or block specific behaviors. For examples, see Best practices for custom defense rules in Malicious Behavior Defense. |
Manage system defense rules
Process Defense is available in the Advanced edition of Security Center. The Enterprise and Ultimate editions include all system defense rules.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
- On the Malicious Behavior Defense page, click the System Defense Rule tab to find and manage the target system defense rule.
  - Enable or disable a rule
    You can disable a rule that is unsuitable for your business or that affects your asset's security score.
    Important: After you disable a system defense rule, Security Center stops detecting and reporting the security risks associated with that rule. As a result, related alerts will not appear on the Alert page. Proceed with caution.
    - Select one or more target rules.
    - Click Enable or Disable below the rule list.
  - Manage hosts
    Important: After you remove an asset from a rule, that rule no longer protects the asset. Proceed with caution.
    - Find the system defense rule that you want to manage and click Manage Host in the Actions column.
    - In the Host Management panel, add or remove assets for the rule, and then click OK.
Create custom defense rules
To prevent false positives for normal business activities, create a custom defense rule to allowlist specific behaviors such as a command line or process hash.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
- On the Malicious Behavior Defense page, click the Custom Defense Rule tab, and then click Create Rule.
- In the Create Rule panel, select a Rule Type based on your business needs, configure the parameters, set the Action for the rule, and then click Next.
  Parameters vary by rule type. The available allowlist rule types are:
  - Process hash
  - Command line
  - Process Network
  - File Read/Write
  - Registry Operation
  - Load Dynamic-link Library
  - File Rename
  For configuration examples, see Best practices for custom defense rules in Malicious Behavior Defense.
- In the Create Rule panel, select the assets to apply the rule to, and then click Complete.
  New custom rules are enabled by default. You can edit rules and manage their target servers afterward.
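A Process hash or Command line allowlist rule is only as precise as the values you enter, so the values should be collected from the actual binary and process on the server rather than typed from memory. The following helper is an added example, not code from the Security Center documentation or product: it computes the hashes of an executable and reads the exact command line of a running Linux process from /proc. The page does not state which hash algorithm the console expects, so both MD5 and SHA-256 are returned (an assumption; paste whichever the rule accepts), and the function names are this example's own.

```python
"""Collect the identifiers a custom allowlist rule asks for (process hash,
command line, executable path) from a Linux process or a file on disk.

Added example, not part of the Security Center documentation. Assumptions:
- The hash algorithm the console expects is not stated on the page; both
  MD5 and SHA-256 are computed so you can paste whichever the rule accepts.
- Process data is read from /proc, so the live lookup works on Linux only.
"""
import hashlib
import os
from pathlib import Path


def file_hashes(path):
    """Return {'md5': ..., 'sha256': ...} for the file at `path`, streamed
    in 1 MiB chunks so a large binary does not have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def parse_cmdline(raw):
    """Turn the NUL-separated bytes of /proc/<pid>/cmdline into an argv list.
    The trailing NUL is dropped; an empty buffer (kernel thread) gives []."""
    if not raw:
        return []
    parts = raw.decode("utf-8", errors="replace").split("\0")
    if parts and parts[-1] == "":
        parts.pop()
    return parts


def process_identifiers(pid):
    """Gather executable path, command line and hashes for a running process.
    Raises FileNotFoundError if the PID does not exist (Linux /proc only)."""
    proc = Path("/proc") / str(pid)
    exe = os.readlink(proc / "exe")  # resolved path of the running binary
    argv = parse_cmdline((proc / "cmdline").read_bytes())
    return {
        "pid": pid,
        "exe": exe,
        "cmdline": " ".join(argv),
        **file_hashes(exe),
    }


if __name__ == "__main__":
    import sys

    # Usage: python collect_rule_identifiers.py <pid>   (defaults to this process)
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for key, value in process_identifiers(target).items():
        print(f"{key:8} {value}")
```

Run it against the PID of the process that triggered the false positive and copy the `cmdline` value into a Command line rule, or the hash into a Process hash rule, so the allowlist matches exactly that binary and invocation and nothing broader.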
View and handle security alerts
Alert types and handling methods vary by rule type.
Process defense
Security Center generates Precise Defense alerts based on Process Protection rules. To view and handle these alerts:
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have enabled Agentic SOC, in the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
- On the Alert page, click the CWPP tab, and then click the number under Precise Defense.
- In the alert list, view the automatically blocked alerts. For false positives, click Details in the Actions column and handle the alert as follows.
  Example: handling a false positive for Suspicious Worm Script Behavior.
  In the alert details panel, record the following information:
  - The name of the system defense rule that detected and reported the alert. In this example, the rule is Malicious Destruction of Client Process.
  - The alert's ATT&CK Phase. In this example, it is Impact and Damage.
  - The name and IP address of the affected asset.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
- In the list of system defense rules, find the rule that reported the alert.
  - To find the rule, enter its name, Suspicious Worm Script Behavior, in the search box.
  - You can also find the rule by clicking Impact and Damage in the ATT&CK Phase menu on the left.
- In the system defense rule list, locate the rule named Suspicious Worm Script Behavior and manage it.
  - To stop alerts from this rule, click the icon in the Switch column to disable it.
    Important: After you disable a system defense rule, Security Center stops detecting and reporting the security risks associated with that rule. As a result, related alerts will not appear on the Alert page. Proceed with caution.
  - To handle only this false positive, click Manage Host in the Actions column and remove the affected asset from the rule's protection list.
    Alternatively, handle the false positive on the Alert page. For details, see Assess and handle security alerts.
    Important: To restore protection after handling this alert, add the asset back on the System Defense Rules tab of the Malicious Behavior Defense page.
Network defense
Based on Network Threat Prevention rules, Security Center automatically blocks basic network attacks and displays the related data on the Security Alerts > Network Defense Alert page. For more information, see Network defense alerts (formerly Attack Analysis).
- For newly purchased cloud products, wait about 3 hours for Security Center to synchronize network attack data before you can view the related attack analysis information.
- Defensive alerts indicate that Security Center blocked the attacks automatically. No manual action is required.
To view network defense alerts:
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have enabled Agentic SOC, in the left-side navigation pane, choose . In the upper-left corner of the console, select the region for your assets: Chinese Mainland or Outside Chinese Mainland.
- On the Alert page, click the CWPP tab, and then click the number under Network Defense Alert to view the related information.
